November 2nd, 2005

How Can I Determine the Name of the Local Administrators Group?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I determine the name of the local Administrators group? This can vary depending on the operating system language; for example, in German the name of the group is Administratoren.

— DS

SpacerHey, Scripting Guy! AnswerScript Center

Hey, DS. You know, the first thought that popped into our heads when we read your question was this: just call Scripting Guy Peter Costantini. After all, Peter speaks every language known to man (plus several others not known to man). If anyone can identify the local Administrators group for you Peter can.

Unfortunately, though, there were two problems with that idea. For one, we can never guarantee which dimension Peter will be in; he has a bad habit of upsetting the laws of time and space. More important, even speaking scores of languages might not be of much help if the local Administrators group has been renamed. In a case like that, even on a German version of Windows the local Administrators group wouldn’t be named Administratoren. Instead it would be, well, whatever someone renamed it.

With that in mind, we decided to try a different approach: use a script. Here’s a script that will return the name of the local Administrators group on a Windows XP or Windows Server 2003 computer (we’ll show you a Windows 2000 version momentarily):

strComputer = “.”

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)

Set colAccounts = objWMIService.ExecQuery _ (“Select * From Win32_Group Where LocalAccount = TRUE And SID = ‘S-1-5-32-544′”)

For Each objAccount in colAccounts Wscript.Echo objAccount.Name Next

As you can see, this is a fairly simple – and fairly straightforward – WMI script. It begins by connecting to the WMI service on the local computer; to connect to the WMI service on a remote machine just assign the name of that computer to the variable strComputer. For example, this line of code causes the script to connect to the remote computer atl-fs-01:

strComputer = “atl-fs-01”

Next we have this interesting little snippet of code:

Set colAccounts = objWMIService.ExecQuery _
    (“Select * From Win32_Group Where LocalAccount = TRUE And SID = ‘S-1-5-32-544′”)

What we’re doing here is querying WMI for all the groups on the computer that meet the following criteria:

The value of the LocalAccount property is True. This is an important part of the query, because it limits WMI to examining local accounts. Leave this out and WMI will examine each and every group in Active Directory.

The value of the SID property is S-1-5-32-544. The SID (Security Identifier) is a unique number that the operating system uses to identify an account. That’s one reason why you can change the name of the local Administrators account without worrying that the local admins will now lose access to everything. For the most part, the operating system ignores the account name and uses the SID instead. And that’s a value that never changes.

So is there some significance to the value S-1-5-32-544? As a matter of fact, there is: this happens to be a “well-known SID,” and it always references the local Administrators group. In other words, if you can find a local account with the SID S-1-5-32-544, then you’ve found your local Administrators group. It’s that easy.

The rest of the script simply sets up a For Each loop and walks through the collection of local groups with the SID S-1-5-32-544, echoing back the name of each group. Because SIDs must be unique on a computer and because S-1-5-32-544 has to refer to the local Administrators group, this collection will consist of one, and only one, item: the local Administrators group. This should work just fine, regardless of the operating system language or the actual name of the local admins group.

The one drawback to this script, as we noted, is that it runs only on Windows XP and Windows Server 2003. But don’t worry: we’d never forget you Windows 2000 users. Here’s a revised script that runs on Windows 2000, Windows XP, Windows Server 2003, and even Windows NT 4.0:

strComputer = “atl-fs-01”

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)

Set colAccounts = objWMIService.ExecQuery _ (“Select * From Win32_Group Where Domain = ‘” & strComputer & “‘ AND SID = ‘S-1-5-32-544′”)

For Each objAccount in colAccounts Wscript.Echo objAccount.Name Next

The reason our original script won’t run on Windows 2000 is because, prior to Windows XP, the Win32_Group class did not support the property LocalAccount. Therefore, we’ve made two minor modifications to this script:

We bind to the local computer by name (instead of using the dot, WMI shorthand for the local computer).

In our query, we don’t look for groups where the LocalAccount is set to True; after all, the LocalAccount property isn’t available to us. Instead, we look for groups where the value of the Domain property is equal to the name of the local computer. As you might have guessed, those will be local accounts.

If you find yourself traveling forward or backwards in time, you might run into Peter; if so, he can probably help you determine the name of the local Administrators group. If you don’t do much time-traveling, however, then the scripts we showed you today should make for a reasonably good Plan B.

Author

0 comments

Discussion are closed.